InfoSec Handlers Diary Blog

In today's Stormcast, Johannes summarizes the current issue with some of the software that comes pre-installed on Dell laptops. In short, Dell Foundation Services, which is used for remote management, allows unauthenticated WMI queries to be processed through a simple SOAP interface. We've used WMI in many stories for reconnaissance, pentesting and attack activities (check out our Diary Archives and Search function for more on this).

Anyway, on one hand, an IT manager might say "who better to write desktop management software than the hardware vendor?" A smarter IT manager might say "no, someone who builds hardware for a living is the *worst* person to buy software from, especially if it's free software." Maybe the truth lies somewhere in between. I typically format every new machine, use the vendor hardware drivers for whatever OS I install, and stop there (at least as far as hardware vendor code goes).

Long story short, after the past year of Superfish and Dell's equivalent of Superfish, and now this, I hope it's time we all look at the special presents we get "for free", preinstalled on new hardware!

In a typical security assessment, you'll do authenticated scans of internal hosts, looking for vulnerabilities due to missed patches or configuration issues. I often use Nessus for this, but find that for a typical IT manager, the Nessus findings can be overwhelming. While a pentester might look for a specific Java or Flash vulnerability, the IT manager doesn't want to know that "station x has 26 Java vulnerabilities". They want to know that "station x needs Java updated, and this is how not updating will affect the business." In a perfect world, that same IT manager might also ask "why exactly do we have Flash and Java installed all over the place?", but maybe that's a story for a different day.

Anyway, on a typical medium-sized network, you can count on hundreds of thousands of findings in an authenticated Nessus scan. In years past, I would have written some fancy sed / cut scripts to slice and dice this data, or maybe imported the lot into a database and started the analysis from there. Today, though, I'm using PowerShell: it's free, it's easy, and it's already installed everywhere, so your client can replicate both the findings and the process.

First, let's import the CSV file that we get from Nessus. From the count alone, you can see exactly why this process is so useful.

Now on to the useful part: which hosts are affected? Many of these hosts have dozens of discrete Flash vulnerabilities, but for the IT manager, the "fix list" (one line per host, not one per plugin) is the first important thing, and the second is "how do we prevent this going forward?"

Next we'll tackle Java. Note the "or" operator (|) in the regular expression, and also that the -match operator is case insensitive (use -cmatch if you really need a case-sensitive match). Be careful with the field names, though: PowerShell won't complain about a property that doesn't exist, so a typo in a field name silently queries an empty value and hands you a "zero" result instead of an error. For Java, in this example we cut the 50,000-ish findings down to a short, useful list of 222.
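Here is the whole procedure (import, count, Flash and Java host lists, and a per-host summary) as a single PowerShell script. This is an added example and not the diary's own code. The CSV rows are constructed sample data with placeholder plugin IDs and blank CVE columns; the column names ("Plugin ID", "CVE", "Risk", "Host", "Port", "Name", "Solution") are the ones a Nessus CSV export uses, but check the header line of your own file. The Get-AffectedHosts function is mine, not something Nessus or PowerShell ships, and the script assumes PowerShell 3 or later for -in, [pscustomobject] and [Parameter(Mandatory)].

```powershell
# Added example, not the diary's own script: slicing a Nessus CSV export with PowerShell.
# The rows below are constructed sample data (placeholder plugin IDs, no real CVEs).
# Column names follow the Nessus CSV export; verify against your own file's header line.

# A typo in a property name now throws instead of silently matching nothing.
Set-StrictMode -Version 2

$sampleCsv = @'
"Plugin ID","CVE","Risk","Host","Port","Name","Solution"
"100001","","Critical","10.0.0.11","445","Adobe Flash Player Multiple Vulnerabilities","Upgrade Adobe Flash Player"
"100002","","High","10.0.0.11","445","Adobe Flash Player Multiple Vulnerabilities","Upgrade Adobe Flash Player"
"100001","","Critical","10.0.0.12","445","Adobe Flash Player Multiple Vulnerabilities","Upgrade Adobe Flash Player"
"200001","","Critical","10.0.0.11","445","Oracle Java SE Multiple Vulnerabilities","Upgrade Java"
"200001","","Critical","10.0.0.13","445","Oracle Java SE Multiple Vulnerabilities","Upgrade Java"
"200002","","High","10.0.0.14","445","Oracle JRE Unsupported Version Detection","Upgrade Java"
"200003","","None","10.0.0.15","445","Java Runtime Environment Detection","n/a"
"300001","","Medium","10.0.0.12","445","SMB Signing Disabled","Enforce message signing"
'@

$findings = $sampleCsv | ConvertFrom-Csv
# For a real export, replace the line above with:
# $findings = Import-Csv -Path .\scan-results.csv

"Total findings: $(@($findings).Count)"

# Hosts with at least one real (non-Info) finding whose plugin name matches a regex.
# -match is case-insensitive, so 'flash' also catches 'Flash'; swap in -cmatch if case matters.
function Get-AffectedHosts {
    param(
        [Parameter(Mandatory)] [object[]] $Findings,
        [Parameter(Mandatory)] [string]   $Pattern,
        [string[]] $Risk = @('Critical', 'High', 'Medium', 'Low')   # 'None' (Info) rows are not vulns
    )
    $Findings |
        Where-Object { $_.Risk -in $Risk -and $_.Name -match $Pattern } |
        Select-Object -ExpandProperty Host -Unique |
        Sort-Object
}

# The "fix list": one line per host, not one per plugin.
$flashHosts = @(Get-AffectedHosts -Findings $findings -Pattern 'flash')
$javaHosts  = @(Get-AffectedHosts -Findings $findings -Pattern 'java|jre|jdk')

"Flash: $($flashHosts.Count) host(s): $($flashHosts -join ', ')"
"Java:  $($javaHosts.Count) host(s): $($javaHosts -join ', ')"

# How bad is each host? Findings per host plus the worst risk level, which is the
# number the "how does this affect the business" conversation actually turns on.
$rank = @{ 'Critical' = 4; 'High' = 3; 'Medium' = 2; 'Low' = 1; 'None' = 0 }
$perHost = $findings |
    Where-Object { $_.Risk -ne 'None' } |
    Group-Object -Property Host |
    ForEach-Object {
        $worst = $_.Group | Sort-Object { $rank[$_.Risk] } -Descending | Select-Object -First 1
        [pscustomobject]@{
            Host      = $_.Name
            Findings  = $_.Count
            WorstRisk = $worst.Risk
        }
    } |
    Sort-Object -Property Findings -Descending

$perHost | Format-Table -AutoSize
# Hand the client the same table as a spreadsheet:
# $perHost | Export-Csv -Path .\fix-list.csv -NoTypeInformation
```

With the sample rows, the Flash list is 10.0.0.11 and 10.0.0.12, and the Java list is 10.0.0.11, 10.0.0.13 and 10.0.0.14: the JRE host is caught by the "jre" alternative in the pattern, while 10.0.0.15 stays off the list because its only Java row is an Info-level detection plugin, not a vulnerability. Without the Risk filter, detection plugins would pad the fix list with hosts that have nothing to fix, which is exactly the noise the IT manager doesn't want.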

So, what other issues do you want to hunt for, to whittle that total down?